diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index 298b4793298a08..8970c573efda6f 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 7 #define V8_MINOR_VERSION 9 #define V8_BUILD_NUMBER 317 -#define V8_PATCH_LEVEL 20 +#define V8_PATCH_LEVEL 23 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/execution/isolate.cc b/deps/v8/src/execution/isolate.cc index 2b6bb76d8a9a90..e2d5ce8a40af0f 100644 --- a/deps/v8/src/execution/isolate.cc +++ b/deps/v8/src/execution/isolate.cc @@ -4274,9 +4274,8 @@ void Isolate::AddDetachedContext(Handle context) { HandleScope scope(this); Handle detached_contexts = factory()->detached_contexts(); detached_contexts = WeakArrayList::AddToEnd( - this, detached_contexts, MaybeObjectHandle(Smi::kZero, this)); - detached_contexts = WeakArrayList::AddToEnd(this, detached_contexts, - MaybeObjectHandle::Weak(context)); + this, detached_contexts, MaybeObjectHandle(Smi::kZero, this), + MaybeObjectHandle::Weak(context)); heap()->set_detached_contexts(*detached_contexts); } diff --git a/deps/v8/src/objects/backing-store.cc b/deps/v8/src/objects/backing-store.cc index 7f6d2251a78a70..cc6741765e1962 100644 --- a/deps/v8/src/objects/backing-store.cc +++ b/deps/v8/src/objects/backing-store.cc @@ -605,8 +605,14 @@ std::shared_ptr GlobalBackingStoreRegistry::Lookup( return std::shared_ptr(); } auto backing_store = result->second.lock(); - DCHECK_EQ(buffer_start, backing_store->buffer_start()); - DCHECK_EQ(length, backing_store->byte_length()); + CHECK_EQ(buffer_start, backing_store->buffer_start()); + if (backing_store->is_wasm_memory()) { + // Grow calls to shared WebAssembly threads can be triggered from different + // workers, length equality cannot be guaranteed here. + CHECK_LE(length, backing_store->byte_length()); + } else { + CHECK_EQ(length, backing_store->byte_length()); + } return backing_store; } diff --git a/deps/v8/src/objects/fixed-array.h b/deps/v8/src/objects/fixed-array.h index 1963eef728d9a8..b9d644b4923bd8 100644 --- a/deps/v8/src/objects/fixed-array.h +++ b/deps/v8/src/objects/fixed-array.h @@ -338,6 +338,12 @@ class WeakArrayList : public HeapObject { Isolate* isolate, Handle array, const MaybeObjectHandle& value); + // A version that adds to elements. This ensures that the elements are + // inserted atomically w.r.t GC. + V8_EXPORT_PRIVATE static Handle AddToEnd( + Isolate* isolate, Handle array, + const MaybeObjectHandle& value1, const MaybeObjectHandle& value2); + inline MaybeObject Get(int index) const; inline MaybeObject Get(Isolate* isolate, int index) const; diff --git a/deps/v8/src/objects/objects.cc b/deps/v8/src/objects/objects.cc index ec4a8594f6bd04..227cff8da47a33 100644 --- a/deps/v8/src/objects/objects.cc +++ b/deps/v8/src/objects/objects.cc @@ -3951,6 +3951,20 @@ Handle WeakArrayList::AddToEnd(Isolate* isolate, return array; } +Handle WeakArrayList::AddToEnd(Isolate* isolate, + Handle array, + const MaybeObjectHandle& value1, + const MaybeObjectHandle& value2) { + int length = array->length(); + array = EnsureSpace(isolate, array, length + 2); + // Reload length; GC might have removed elements from the array. + length = array->length(); + array->Set(length, *value1); + array->Set(length + 1, *value2); + array->set_length(length + 2); + return array; +} + bool WeakArrayList::IsFull() { return length() == capacity(); } // static diff --git a/deps/v8/src/wasm/wasm-objects.cc b/deps/v8/src/wasm/wasm-objects.cc index 14e682ce232500..93ce345a5fb06a 100644 --- a/deps/v8/src/wasm/wasm-objects.cc +++ b/deps/v8/src/wasm/wasm-objects.cc @@ -1375,7 +1375,12 @@ int32_t WasmMemoryObject::Grow(Isolate* isolate, new_pages); // Broadcasting the update should update this memory object too. CHECK_NE(*old_buffer, memory_object->array_buffer()); - CHECK_EQ(new_byte_length, memory_object->array_buffer().byte_length()); + // This is a less than check, as it is not guaranteed that the SAB + // length here will be equal to the stashed length above as calls to + // grow the same memory object can come in from different workers. + // It is also possible that a call to Grow was in progress when + // handling this call. + CHECK_LE(new_byte_length, memory_object->array_buffer().byte_length()); return static_cast(old_pages); // success } } diff --git a/deps/v8/test/mjsunit/mjsunit.status b/deps/v8/test/mjsunit/mjsunit.status index f0d473f84a1acf..4fbc027c69c1a7 100644 --- a/deps/v8/test/mjsunit/mjsunit.status +++ b/deps/v8/test/mjsunit/mjsunit.status @@ -930,6 +930,9 @@ # Deadlocks on predictable platform (https://crbug.com/v8/9760). 'wasm/async-compile': [SKIP], 'wasm/streaming-compile': [SKIP], + + # Race between postMessage and wasm memory.grow. (https://crbug.com/1010272). + 'regress/wasm/regress-1010272': [SKIP], }], # 'predictable == True' ############################################################################## diff --git a/deps/v8/test/mjsunit/regress/regress-1016703.js b/deps/v8/test/mjsunit/regress/regress-1016703.js new file mode 100644 index 00000000000000..6830d194fda23a --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-1016703.js @@ -0,0 +1,15 @@ +// Copyright 2019 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --expose-gc + +let realms = []; +for (let i = 0; i < 4; i++) { + realms.push(Realm.createAllowCrossRealmAccess()); +} + +for (let i = 0; i < 4; i++) { + Realm.detachGlobal(realms[i]); + gc(); +} diff --git a/deps/v8/test/mjsunit/regress/wasm/regress-1010272.js b/deps/v8/test/mjsunit/regress/wasm/regress-1010272.js new file mode 100644 index 00000000000000..ff685eda79c8d4 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/wasm/regress-1010272.js @@ -0,0 +1,30 @@ +// Copyright 2019 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --wasm-grow-shared-memory --experimental-wasm-threads + +const kNumWorkers = 100; +const kNumMessages = 50; + +function AllocMemory(initial, maximum = initial) { + return new WebAssembly.Memory({initial : initial, maximum : maximum, shared : true}); +} + +(function RunTest() { + let worker = []; + for (let w = 0; w < kNumWorkers; w++) { + worker[w] = new Worker( + `onmessage = + function(msg) { + msg.memory.grow(1); + }`, {type : 'string'}); + } + + for (let i = 0; i < kNumMessages; i++) { + let memory = AllocMemory(1, 128); + for (let w = 0; w < kNumWorkers; w++) { + worker[w].postMessage({memory : memory}); + } + } +})();